From 8ee0ea62d669f59246c8727d89a860bb6d6082f8 Mon Sep 17 00:00:00 2001

From: Simo Sorce <simo@redhat.com>

Date: Tue, 14 Jan 2014 10:09:37 -0500

Subject: [PATCH 28/34] Harmonize policy discovery to kdb driver

The KDB driver does not walk the tree back like the original password plugin.

Also we do not store the default policy in the base DN as we used to do in the

past anymore.

So doing a full subtree search and walking back the tree is just a waste of

time.

Instead hardcode the default policy like we do in the kdb driver.

Fixes: https://fedorahosted.org/freeipa/ticket/4085

---

 daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 106 ++++-------------------

 1 file changed, 17 insertions(+), 89 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c

index 2538a4094bd9a166e61b0911e5ea93426092d88a..ef20c4c61bd764bffc426208ff8b99f5d0b782ec 100644

--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c

+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c

@@ -436,75 +436,44 @@ static void pwd_values_free(Slapi_ValueSet** results,

     slapi_vattr_values_free(results, actual_type_name, buffer_flags);

 }

-static int ipapwd_rdn_count(const char *dn)

-{

-    int rdnc = 0;

-    LDAPDN ldn;

-    int ret;

-

-    ret = ldap_str2dn(dn, &ldn, LDAP_DN_FORMAT_LDAPV3);

-    if (ret != LDAP_SUCCESS) {

-        LOG_TRACE("ldap_str2dn(dn) failed ?!");

-        return -1;

-    }

-

-    for (rdnc = 0; ldn != NULL && ldn[rdnc]; rdnc++) /* count */ ;

-    ldap_dnfree(ldn);

-

-    return rdnc;

-}

-

 int ipapwd_getPolicy(const char *dn,

                      Slapi_Entry *target,

                      struct ipapwd_policy *policy)

 {

     const char *krbPwdPolicyReference;

-    const char *pdn;

-    const Slapi_DN *psdn;

-    Slapi_Backend *be;

+    char *pdn = NULL;

     Slapi_PBlock *pb = NULL;

     char *attrs[] = { "krbMaxPwdLife", "krbMinPwdLife",

                       "krbPwdMinDiffChars", "krbPwdMinLength",

                       "krbPwdHistoryLength", NULL};

     Slapi_Entry **es = NULL;

     Slapi_Entry *pe = NULL;

-    int ret, res, dist, rdnc, scope, i;

-    Slapi_DN *sdn = NULL;

+    int ret, res, scope, i;

     int buffer_flags=0;

     Slapi_ValueSet* results = NULL;

-    char* actual_type_name = NULL;

+    char *actual_type_name = NULL;

     int tmpint;

     LOG_TRACE("Searching policy for [%s]\n", dn);

-    sdn = slapi_sdn_new_dn_byref(dn);

-    if (sdn == NULL) {

-        LOG_OOM();

-        ret = -1;

-        goto done;

-    }

-

     pwd_get_values(target, "krbPwdPolicyReference",

                    &results, &actual_type_name, &buffer_flags);

     if (results) {

         Slapi_Value *sv;

         slapi_valueset_first_value(results, &sv;;

         krbPwdPolicyReference = slapi_value_get_string(sv);

-        pdn = krbPwdPolicyReference;

-        scope = LDAP_SCOPE_BASE;

-        LOG_TRACE("using policy reference: %s\n", pdn);

+        pdn = slapi_ch_strdup(krbPwdPolicyReference);

     } else {

-        /* Find ancestor base DN */

-        be = slapi_be_select(sdn);

-        psdn = slapi_be_getsuffix(be, 0);

-        if (psdn == NULL) {

-            LOG_FATAL("Invalid DN [%s]\n", dn);

-            ret = -1;

-            goto done;

-        }

-        pdn = slapi_sdn_get_dn(psdn);

-        scope = LDAP_SCOPE_SUBTREE;

+        /* Fallback to hardcoded value */

+        pdn = slapi_ch_smprintf("cn=global_policy,%s", ipa_realm_dn);

     }

+    if (pdn == NULL) {

+        LOG_OOM();

+        ret = -1;

+        goto done;

+    }

+    LOG_TRACE("Using policy at [%s]\n", pdn);

+    scope = LDAP_SCOPE_BASE;

     pb = slapi_pblock_new();

     slapi_search_internal_set_pb(pb,

@@ -539,54 +508,13 @@ int ipapwd_getPolicy(const char *dn,

     /* if there is only one, return that */

     if (i == 1) {

         pe = es[0];

-        goto fill;

-    }

-

-    /* count number of RDNs in DN */

-    rdnc = ipapwd_rdn_count(dn);

-    if (rdnc == -1) {

-        LOG_TRACE("ipapwd_rdn_count(dn) failed");

-        ret = -1;

-        goto done;

-    }

-

-    pe = NULL;

-    dist = -1;

-

-    /* find closest entry */

-    for (i = 0; es[i]; i++) {

-        const Slapi_DN *esdn;

-

-        esdn = slapi_entry_get_sdn_const(es[i]);

-        if (esdn == NULL) continue;

-        if (0 == slapi_sdn_compare(esdn, sdn)) {

-            pe = es[i];

-            dist = 0;

-            break;

-        }

-        if (slapi_sdn_issuffix(sdn, esdn)) {

-            const char *dn1;

-            int c1;

-

-            dn1 = slapi_sdn_get_dn(esdn);

-            if (!dn1) continue;

-            c1 = ipapwd_rdn_count(dn1);

-            if (c1 == -1) continue;

-            if ((dist == -1) ||

-                ((rdnc - c1) < dist)) {

-                dist = rdnc - c1;

-                pe = es[i];

-            }

-        }

-        if (dist == 0) break; /* found closest */

-    }

-

-    if (pe == NULL) {

+    } else {

+        LOG_TRACE("Multiple entries from a base search ?!");

         ret = -1;

         goto done;

     }

-fill:

+    /* read data out of policy object */

     policy->min_pwd_life = slapi_entry_attr_get_int(pe, "krbMinPwdLife");

     tmpint = slapi_entry_attr_get_int(pe, "krbMaxPwdLife");

@@ -615,7 +543,7 @@ done:

         slapi_free_search_results_internal(pb);

         slapi_pblock_destroy(pb);

     }

-    if (sdn) slapi_sdn_free(&sdn;;

+    slapi_ch_free_string(&pdn);

     return ret;

 }

-- 

1.8.4.2